Google answers whether security headers influence rankings

A recent Google SEO Office Hours included a question about whether a security header confers an influence on ranking.

It’s not as far-fetched as it seems at first glance because a security header like the HSTS header plays an important role in ensuring a secure HTTPS connection, and HTTPS is a lightweight Google ranking signal.

HSTS security header

A header is part of the response that a server sends to a browser (or crawler).

The most well-known header is the response header such as the 404 error response or the 301 response header.

The purpose of an HTTP header is to provide additional metadata about the web page that a browser or crawler is requesting.

Security headers are a special group of headers that apply different types of security to protect against various malicious attacks and keep the site safe for users.

An HSTS security header is a response that tells the browser that the web page should only be accessed via HTTPS, never HTTP, and to request HTTPS next time.

Using this header is better than just using a 301 redirect.

When a browser accesses a site using HTTP and is redirected to HTTPS, the next time the browser requests a web page, it will request an HTTP page again, causing the server to do the redirect again.

The important consideration is that a site that only uses a 301 redirect is still vulnerable to a man-in-the-middle attack, because each of those initial HTTP requests travels unencrypted before the redirect happens.

The HSTS header prevents this from happening by making the browser only request an HTTPS page, making the entire site more secure.

Therefore, a site that uses an HSTS header is more secure with respect to HTTPS.
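
The difference between a redirect-only site and an HSTS site can be shown with a small model of a browser's HSTS cache. This is an added example, not code from the article or from Google; it follows the behaviour defined in RFC 6797, and the host example.com, the header dictionaries and the Browser class are constructed for illustration.

```python
# Added illustration: a minimal model of a browser's HSTS cache (RFC 6797 behaviour).

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None              # malformed policy: ignore the whole header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class Browser:
    def __init__(self):
        self.hsts = {}                   # host -> (expiry_time, include_subdomains)

    def observe(self, scheme, host, headers, now):
        """Record an HSTS policy from a response; honoured only over HTTPS."""
        value = headers.get("strict-transport-security")
        policy = parse_hsts(value) if scheme == "https" and value else None
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self.hsts.pop(host, None)    # max-age=0 deletes the stored policy
        else:
            self.hsts[host] = (now + max_age, include_sub)

    def scheme_for(self, host, now):
        """Scheme actually used when the user navigates to http://host/."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return "https"           # upgraded before any plaintext request leaves
        return "http"                    # plaintext request goes out; server must redirect

# Constructed response headers (lower-cased names) for the hypothetical host example.com.
REDIRECT_ONLY = {"location": "https://example.com/"}
WITH_HSTS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
```

With REDIRECT_ONLY the browser keeps answering "http" on every later visit, which is the repeated plaintext request described above; once WITH_HSTS has been seen over HTTPS, the same navigation resolves to "https" until the max-age expires.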

Does the HSTS header affect rankings?

The question asked of John Mueller:

“Does the integration of security headers such as HSTS have an influence on classification?”

John Mueller replied:

“No, the HSTS header does not affect search.

This header is used to tell users to go directly to the HTTPS version and is commonly used in conjunction with redirects to the HTTPS versions.

Google uses a process called canonicalization to choose the most appropriate version of a page to crawl and index; it is not based on headers like those used for HSTS.

Using these headers is of course great for users.”

HSTS is a good security practice

HSTS is a message to browsers, and according to John Mueller, Googlebot doesn’t rely on headers.

However, good security practices are something any site should practice, regardless of whether they confer ranking influence or not.

Chrome hosts an HSTS preload list, hard-coded into the browser, that all browsers use to automatically use HTTPS.

Instructions on how to add a site to this list can be found at the HSTS preload website.

Listen to the Office Hours discussion at minute 4:57:


About the Author: Ted Simmons

I follow and report the current news trends on Google news.
